data/reports/GO-2022-0521.yaml - vulndb - Git at Google

 modules:
   - module: std
     versions:
       - fixed: 1.17.12
       - introduced: 1.18.0
         fixed: 1.18.4
     vulnerable_at: 1.18.3
     packages:
       - package: encoding/xml
         symbols:
           - Decoder.Skip
 description: |
     Calling Decoder.Skip when parsing a deeply nested XML document can cause a
     panic due to stack exhaustion.
 published: 2022-07-20T17:02:04Z
 credit: Go Security Team and Juho Nurminen of Mattermost
 references:
   - fix: https://go.dev/cl/417062
   - fix: https://go.googlesource.com/go/+/08c46ed43d80bbb67cb904944ea3417989be4af3
   - report: https://go.dev/issue/53614
   - web: https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE
 cve_metadata:
     id: CVE-2022-28131
     cwe: 'CWE-674: Uncontrolled Recursion'
     description: |
         Uncontrolled recursion in Decoder.Skip in encoding/xml before Go
         1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to
         stack exhaustion via a deeply nested XML document.
	modules:
	- module: std
	versions:
	- fixed: 1.17.12
	- introduced: 1.18.0
	fixed: 1.18.4
	vulnerable_at: 1.18.3
	packages:
	- package: encoding/xml
	symbols:
	- Decoder.Skip
	description: \|
	Calling Decoder.Skip when parsing a deeply nested XML document can cause a
	panic due to stack exhaustion.
	published: 2022-07-20T17:02:04Z
	credit: Go Security Team and Juho Nurminen of Mattermost
	references:
	- fix: https://go.dev/cl/417062
	- fix: https://go.googlesource.com/go/+/08c46ed43d80bbb67cb904944ea3417989be4af3
	- report: https://go.dev/issue/53614
	- web: https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE
	cve_metadata:
	id: CVE-2022-28131
	cwe: 'CWE-674: Uncontrolled Recursion'
	description: \|
	Uncontrolled recursion in Decoder.Skip in encoding/xml before Go
	1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to
	stack exhaustion via a deeply nested XML document.